Compass Security Bug Bounty Program
Program Overview
Compass is headquartered in Rapperswil-Jona, at the head-end of Lake Zurich, Switzerland, with offices in Berlin, Basel, Bern, and Zurich. We specialize in penetration testing, red teaming, social engineering, monitoring, incident response and digital forensics. We aim to help clients gauge the robustness of their IT systems against cyber threats and to recommend ways to bolster security measures. Accordingly, we believe in responsible vulnerability disclosure, not only for our many published advisories but also for our very own IT, and thus encourage hunters to help us stay ahead of cyber criminals.
Bounty Information
| Metric | Value |
|---|---|
| Max. Bounty | CHF 5000 |
| Min. Bounty | CHF 100 |
| Avg. Bounty | CHF 175 |
| Budget | no-cap |
Terms, Rules & Standards
This program follows the Platform Standards and the Terms and Conditions. Please review both documents before testing or submitting any reports. They define general rules of engagement, eligibility for bounty rewards, netiquette, confidentiality requirements, and further legal guidelines that apply to all participants.
Asset Lists and Reward Structure
High Risk
- Low: CHF 300
- Medium: CHF 300–640
- High: CHF 640–2560
- Critical: CHF 2560–5000
Targets:
- fb.compass-security.com
- secure.compass-security.com
- vpn01.compass-security.com
- vpn02.compass-security.com
- vpn03.compass-security.com
- vpn06.compass-security.com
- vpn07.compass-security.com
- vpn08.compass-security.com
- vpn09.compass-security.com
- ir.compass-security.com
- *.ir.compass-security.com
- deli.securelogon.ch
- meta.securelogon.ch
- osiris.securelogon.ch
- meta.de.securelogon.ch
- osiris.de.securelogon.ch
- zimbra.securelogon.ch
- www.filebox-solution.com
- repo.filebox-solution.com
- clamav.filebox-solution.com
- update.filebox-solution.com
- fbngupdate.filebox-solution.com
Medium Risk
- Low: CHF 200
- Medium: CHF 200
- High: CHF 200–512
- Critical: CHF 512–1000
Targets:
- feedback.compass-security.com
- apps.gitext.compass-security.com
- sak.gitext.compass-security.com
- ns1.compass-security.com
- ns2.compass-security.com
- mx.security-assessments.com
- www.security-assessments.com
Low Risk
- Low: CHF 100
- Medium: CHF 100
- High: CHF 100–256
- Critical: CHF 256–500
Targets:
- *.compass-security.com
- *.filebox-solution.com
- *.security-assessments.com
- *.securelogon.ch
- 49.13.86.27
- 80.74.140.133
- 195.48.51.28
- 195.49.25.132
- 206.189.248.203
- 195.48.51.24/29
- 195.49.6.216/29
- 195.49.6.224/29
- 195.49.25.128/26
- 195.49.25.192/26
- 2a01:02a8:3319::/48
- 2a01:02a8:1981::/48
- 2a01:02a8:19c1::/48
Excluded Items
The following targets are excluded from the program; no rewards will be granted for vulnerabilities reported on them:
- *.compass-demo.com hosting deliberately vulnerable training and demo apps
- *.compass-security.training providing access to deliberately vulnerable lab environments on Azure
- Any phishing exercise pages
- Code on Compass Security resources on GitHub, GitLab, Docker Hub etc.
- Any third-party services (M365, O365, Atlassian, Azure, etc.)
- Everything belonging to Hacking-Lab; for these, please visit the Hacking-Lab Bug Bounty Program
Specific Program Rules
- Any domain not listed in the scope but resolving to the provided IP ranges is likely one of our phishing exercise domains. Do not touch these. Do not enter credentials.
Acknowledgement
Compass Security may give public acknowledgment to individuals who have identified significant vulnerabilities under the program and received bounties. Compass Security might choose to acknowledge you on websites or printed materials, unless you specifically request your name to be excluded.